GDPR – One Year On
May 2019 marks a year since the General Data Protection Regulation (GDPR) was brought into force across the EU.
GDPR, along with the Data Protection Act 2018 (DPA 2018) in the UK, was implemented on 25 May 2018 and applies to all organisations which process individuals’ personal data. The regulations cover businesses of all sizes, ranging from sole traders to global corporations, although the rules differ in some respects depending on the size and activities of the organisation.
Across the EU, data protection regulators have so far issued fines totalling more than €56 million as a result of breaches of GDPR.
In the UK, the Information Commissioner’s Office (ICO) is still busy publishing the results of cases which stemmed from the pre-GDPR Data Protection Act 1998, and has not yet published details of any significant fines it has issued under GDPR – although we can expect these to start filtering through in the next few months.
Despite this, the publicity surrounding GDPR means that many businesses will have seen the practical effects of it in their dealings with their customers and staff.
In relation to staff specifically, an increase in data protection awareness means that we have seen an increase in the number of “Subject Access Requests” (SARs) being brought by employees who want to know what their employers have been doing and saying about them and how they have been using their personal information. The strict rules on SARs under GDPR mean that employers are now nearly always obliged to gather and hand over this information within a month of a request being made.
As a reminder of businesses’ data protection duties, every organisation should:
Be registered as a data controller with the ICO
Have a privacy notice for employees, workers and contractors (and also for job applicants), setting out how their data may be held and processed
Have privacy notices for customers, clients, suppliers and anyone else whose personal data they may handle
Have a data protection policy setting out how employees must handle the personal data of others, and the consequences of breaching that policy
Have data sharing agreements in place with any third-party service providers to whom they may pass personal data
Conduct regular data audits and, when necessary, Privacy Impact Assessments when carrying out non-routine data processing activities.
It should also be noted that the rules on data protection in the UK are unlikely to be loosened by Brexit, despite the fact that GDPR is an EU-wide law. The UK Government has committed to preserving the effects of GDPR in the UK at least until the end of any transition period (if the Withdrawal Agreement is ratified by Parliament) and is likely to then seek an agreement with the EU that the rules should continue indefinitely.